Web Application Firewall (WAF) provides security reports to display the protection records of each protection module. You can view the web security, bot management, and access control and throttling records on domains that are added to WAF. This allows you to analyze business security.

Notice This topic describes security reports in the WAF console released in January 2020. If your WAF instance was created before this date, see WAF security reports.

Prerequisites

  • A Web Application Firewall instance is available. For more information, see Activate a WAF instance.
  • The website is associated with the Web Application Firewall instance. For more information, see Add domain names.

Access the security report page

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, click Security report.
  4. On the Security report page that appears, click any of the following tabs to view the reports of required types: Web Security, Bot Management, and Access Control/Throttling.

Web Security tab

The Web Security tab displays protection records of the following modules: Web Intrusion Prevention, Data Leakage Prevention, Account Security, and Positive Security Model.
  • Web Intrusion Prevention: displays all web application attacks blocked by WAF. This tab consists of two areas: attack statistics (area 1 in the figure) and attack details (area 2 in the figure). You can specify a domain and query time period to search for corresponding data.Web application attacks
    • The attack statistics area includes Security attack type distribution, Top 5 attack source ips, and Top 5 attack source regions.
    • The attack details area displays the following information: Attack IP, Region, Time Attacked, Attack Type, Attacked URL, Method, Parameter, Rule Action, Rule ID, and Attack Probability. You can specify the following information to search for the records that you want to view: protection module (valid values: Regular Protection and Deep learning), attack type (valid values: SQL injection, XSS, Code execution, CRLF, Local file inclusion, Remote file inclusion, webshell, CSRF, and Other), and attack IP address.

      You can click View Details in the Actions column that corresponds to a record to access the Attack Detail pane.

      Attack Detail pane
    For more information about how to configure web intrusion prevention, see the following topics:
  • Data Leakage Prevention: displays the records of web requests that triggered data leakage prevention rules. The following information is provided: Attack IP, Region, Time Attacked, Attacked URL, Method, Parameter, Rule Action, Rule ID, and Attack Probability. You can specify a domain and query time period to search for corresponding data.Data Leakage Prevention tab

    You can click View Details in the Actions column that corresponds to a record to access the Attack Detail pane.

    For more information about how to configure data leakage prevention, see Configure data leakage prevention.

  • Account Security: displays the records of risk events that occurred at the specified endpoint during the configuration of account security. The following information is provided: Domain, Endpoint, Malicious Requests Occurred During, Blocked Requests/Total Requests, and Alert Triggered By. You can specify a domain, endpoint, and query time period to search for corresponding data.Account Security tab

    For more information about how to configure account security, see Configure account security.

  • Positive Security Model: displays the records of web application attacks that triggered automatically-generated positive security model rules. The following information is provided: Attack IP, Region, Time Attacked, Attacked URL, Method, Rule Action, Rule ID, and Attack Probability. You can specify a domain and query time period to search for corresponding data.Positive Security Model tab

    You can click View Details in the Actions column that corresponds to a record to access the Attack Detail pane.

    For more information about how to configure a positive security model, see Configure the positive security model.

Bot Management tab

The Bot Management tab displays the monitoring data of access requests of crawlers generated in websites. This tab consists of two sections: Data Trends and Real-time Monitoring in Last 10 Minutes. You can specify a domain and query time period to search for corresponding data.Bot Management tab
  • Data Trends: includes two tabs: Overview and Interception Analysis. The Overview tab displays the trend chart of total requests and access requests of crawlers that triggered the protection rules under different protection modules. The Interception Analysis tab displays the trend chart of requests and blocked requests.
  • Real-time Monitoring in Last 10 Minutes: displays the records of access requests of crawlers that triggered the protection rules under different protection modules in the last 10 minutes.

Access Control/Throttling tab

The Access Control/Throttling tab displays the records of web requests that triggered the protection rules under the following protection modules: HTTP Flood Protection, Scan Protection, and Access Control. You can specify a domain and query time period to search for corresponding data. You can also query data-related logs with one click.
  • HTTP Flood Protection: displays the trend of HTTP flood protection. The following information is provided: Total QPS, Alerts on Custom Rule Hit, Blocking on Custom Rule Hit, and Blocking on System Rule Hit. This tab also displays the data of No. of matches for different rule types (valid values: Alerts on Custom Rule Hit, Blocking on Custom Rule Hit, and Blocking on System Rule Hit).HTTP Flood Protection tab
    You can click the value of No. of matches for a rule type to access the Log Service page. The system automatically enters the query statements of the logs related to HTTP flood protection on this page to facilitate log query. For more information, see Log Analyses.Log Service page

    For more information about how to configure HTTP flood protection, see Configure HTTP flood protection.

    For more information about how to customize HTTP flood protection rules, see Create a custom protection policy.

  • Scan Protection: displays the trend of scan protection. The following information is provided: Total QPS, Directory Traversal Protection, Collaborative Protection, High-frequency Web Attack Protection, and Scan Tool-based Blocking. This tab also displays the data of No. of matches for different rule types (valid values: Directory Traversal Protection, Collaborative Protection, High-frequency Web Attack Protection, and Scan Tool-based Blocking).Scan Protection tab
    You can click the value of No. of matches for a rule type to access the Log Service page. The system automatically enters the query statements of the logs related to scan protection on this page to facilitate log query. For more information, see Log Analyses.Log Service page

    For more information about how to configure scan protection, see Configure scan protection.

  • Access Control: displays the trend of access control. The following information is provided: Total QPS, Blocking by ACL Policy, Alerts by ACL Policy, and Blocking by Blacklisting. This tab also displays the number of matches for custom rules.Access Control tab

    You can click the ID of a custom rule to view and modify the configurations of this rule in the Edit Rule dialog box that appears. For more information, see Create a custom protection policy.

    You can click the value of No. of matches for a custom rule to access the Log Service page. The system automatically enters the query statements of the logs related to access control on this page to facilitate log query. For more information, see Log Analyses.Log Service page

    For more information about how to configure access control, see Create a custom protection policy.

    For more information about how to configure an IP address blacklist, see Configure the IP blacklist.